US-9736120

Client network access provision by a network traffic manager

Published: August 15, 2017
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

In one embodiment, a computer implemented method provides a client computing device network access to a private network by a network traffic manager, and the method includes: obtaining context parameters related to a context of the client computing device; selecting as a function of the context parameters one or more policies as selected policies, wherein each policy is associated with one or more network entitlement rules defining network access rules to a networking device or an application in the private network according to the policy; retrieving the one or more network entitlement rules associated with the selected policies; and providing the network traffic manager with the one or more network entitlement rules, thereby providing the client computing device the network access.

Patent Claims
13 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A computer implemented method for providing network access for a client computing device to a private network by a network traffic manager, the method comprising: obtaining, by a first networking device from the client computing device, context parameters related to a context of the client computing device; selecting, by the first networking device, as a function of the context parameters, one or more policies as selected policies, wherein each policy is associated with one or more network entitlement rules defining network access rules for a networking device or an application in the private network according to the policy; retrieving, by the first networking device, the one or more network entitlement rules associated with the selected policies; and providing, by the first networking device, the one or more network entitlement rules to the client computing device upon authentication of the client computing device with the first networking device, wherein the one or more network entitlement rules are not alterable by the client computing device, and the client computing device to provide the one or more network entitlement rules to the network traffic manager, thereby providing the network access for the client computing device.

Plain English Translation

A computer-implemented method enables a client device to access a private network via a network traffic manager. First, a networking device obtains context parameters from the client device, reflecting the client's current state (e.g., device type, location). Based on these parameters, the networking device selects one or more policies. Each policy contains network entitlement rules that define allowed network access to specific devices or applications within the private network. The networking device retrieves these rules and hands them to the client device only after the client has authenticated with it; the rules are in a form the client cannot alter. The client device then forwards these rules to the network traffic manager, which grants network access accordingly. Note that the client itself is the carrier between the policy decision (the networking device) and the enforcement point (the traffic manager), so the "not alterable by the client" limitation is what stops a client from granting itself access on that hop; authentication and non-alterability are separate requirements in the claim.

Claim 2

Original Legal Text

2. The method of claim 1 , wherein the selecting comprises performing a predefined logical combination of the context parameters.

Plain English Translation

In the method for providing network access based on client context parameters, selecting relevant policies involves applying a predefined logical combination of these context parameters. For example, the system might combine the device's location and the user's role using AND/OR operators to determine the appropriate security policy to enforce, granting different network access based on this combined context.

Claim 3

Original Legal Text

3. The method of claim 1 , wherein the selecting comprises performing a predefined Boolean combination of the context parameters.

Plain English Translation

In the method for providing network access based on client context parameters, selecting relevant policies involves applying a predefined Boolean combination of these context parameters. This uses Boolean logic (AND, OR, NOT) to evaluate context parameters and determine policy selection. For instance, if the device is within the corporate network AND the user is an administrator, a specific policy with elevated privileges will be applied.

Claim 4

Original Legal Text

4. The method of claim 1 , wherein the context parameters comprise at least one of: a device parameter indicative for a state or property of the client computing device; a user parameter indicative for a property of a user of the client computing device; or a system parameter indicative for a property of a framework configuration of the client computing device.

Plain English Translation

In the method for providing network access based on client context parameters, the context parameters used to determine network access policies include at least one of: device parameters (state or property of the client, e.g., device type, OS version), user parameters (property of the user, e.g., role, group membership), or system parameters (property of the client's framework configuration, e.g., time of day, login history). Together these give the policy selector a view of the client's context beyond its identity alone.

Claim 5

Original Legal Text

5. The method of claim 4 , wherein the device parameter comprises at least one of: a network address of the client computing device, a certificate of the client computing device, local firewall configuration information, or information related to a networking interface configuration of the client computing device.

Plain English Translation

In the method for providing network access, the device parameter includes information about the client device, such as its network address (e.g., an IP or MAC address), a device certificate, local firewall configuration details, or networking interface settings. This information helps identify the device and assess its security posture before rules are selected.

Claim 6

Original Legal Text

6. The method of claim 4 , wherein the user parameter comprises at least one of: user account information for the user in the private network, information on a country the user is registered in, or e-mail account information of the user.

Plain English Translation

In the method for providing network access, the user parameter includes information about the user of the client device, such as their user account details within the private network, their registered country, or their email account information. This data helps in tailoring network access based on the user's identity and attributes.

Claim 7

Original Legal Text

7. The method of claim 4 , wherein the system parameter comprises at least one of: a time of the day, a login history of the client computing device, or a login history of the user of the client computing device.

Plain English Translation

In the method for providing network access, the system parameter includes contextual information such as the time of day, the login history of the client device, or the login history of the user associated with the client device. This allows for time-based access controls and security policies based on user behavior.

Claim 8

Original Legal Text

8. The method of claim 1 , wherein the one or more network entitlement rules are generic for any client computing device, and the retrieving further comprises assigning a networking address of the client computing device to the one or more network entitlement rules.

Plain English Translation

In the method for providing network access, the network entitlement rules are designed to be generic, applying broadly to various client devices. When retrieving these rules, the system assigns the client's specific network address to them. This allows a single rule to be adapted for use with different devices by dynamically associating it with the device's IP address.

Claim 9

Original Legal Text

9. The method of claim 1 , further comprising creating a predetermined set of policies, and wherein the selecting comprises selecting the selected policies from the predetermined set of policies.

Plain English Translation

In the method for providing network access, a predefined set of policies is created in advance. Selecting policies then means choosing from this existing, curated set based on the context parameters, rather than synthesizing a policy per request. A fixed set is easier to review and keeps policy application consistent across clients.
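The flow described in claims 1 through 9 (context parameters in, Boolean policy predicates, a predetermined policy set, and generic rules bound to the client's address) is easiest to see as code. The block below is an added example written for this page, not the patent's own implementation; every policy, predicate, address and destination in it is hypothetical, and the context fields are named after the parameter types listed in claims 5 to 7.

```python
# Added example (not the patent's own code): a minimal policy engine in the
# shape of claims 1-9. All names, addresses and policies below are
# hypothetical, chosen to illustrate the mechanism.
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Context:
    """Context parameters (claim 4): device, user and system parameters."""
    device_addr: str               # claim 5: network address of the client
    device_cert_valid: bool        # claim 5: device certificate (validity assumed pre-checked)
    host_firewall_enabled: bool    # claim 5: local firewall configuration
    user_groups: frozenset         # claim 6: user account information in the private network
    user_country: str              # claim 6: country the user is registered in
    hour: int                      # claim 7: time of day, 0-23
    failed_logins_24h: int         # claim 7: login history of the user


@dataclass(frozen=True)
class Rule:
    """A generic entitlement rule (claim 8): no source address until bound."""
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    dst: str      # host or network inside the private network
    port: int     # 0 means any port

    def bind(self, client_addr: str) -> dict:
        # Claim 8: assign the client's networking address at retrieval time.
        return {"src": client_addr, "dst": self.dst, "proto": self.proto,
                "port": self.port, "action": self.action}


@dataclass(frozen=True)
class Policy:
    name: str
    predicate: Callable[[Context], bool]   # claims 2/3: Boolean combination of parameters
    rules: tuple
    priority: int = 0                      # higher priority rules are emitted first


def on_corporate_network(ctx: Context) -> bool:
    return ipaddress.ip_address(ctx.device_addr) in ipaddress.ip_network("10.0.0.0/8")


def posture_ok(ctx: Context) -> bool:
    return ctx.device_cert_valid and ctx.host_firewall_enabled


def business_hours(ctx: Context) -> bool:
    return 8 <= ctx.hour < 18


# Claim 9: a predetermined set of policies, created in advance.
POLICIES = (
    Policy("lockdown",
           lambda c: not posture_ok(c) or c.failed_logins_24h >= 5,
           (Rule("deny", "any", "0.0.0.0/0", 0),),
           priority=100),
    Policy("admin-onprem",
           lambda c: posture_ok(c) and "admins" in c.user_groups
           and on_corporate_network(c) and business_hours(c),
           (Rule("allow", "tcp", "10.1.0.0/24", 22),
            Rule("allow", "tcp", "10.1.0.5", 443)),
           priority=10),
    Policy("staff-baseline",
           lambda c: posture_ok(c) and "staff" in c.user_groups,
           (Rule("allow", "tcp", "10.2.0.10", 443),)),
)


def select_policies(ctx: Context, policies=POLICIES) -> list:
    """Claims 2/3/9: evaluate each predefined predicate; keep the matches, highest priority first."""
    return sorted((p for p in policies if p.predicate(ctx)), key=lambda p: -p.priority)


def retrieve_rules(ctx: Context, policies=POLICIES) -> list:
    """Claims 1 and 8: collect the selected policies' rules, bound to the client's address.

    The address is validated before binding so a crafted context parameter
    cannot inject arbitrary text into the rule set. An empty result means
    no policy matched, i.e. default deny.
    """
    client_addr = str(ipaddress.ip_address(ctx.device_addr))  # raises ValueError if malformed
    rules = []
    for policy in select_policies(ctx, policies):
        rules.extend(rule.bind(client_addr) for rule in policy.rules)
    return rules
```

Two design points worth noting. The client-supplied address is parsed with `ipaddress` before it is substituted into any rule, because in claim 8 the client's own parameter becomes part of the rule text that the traffic manager later enforces. And the engine fails closed: a context that matches no policy yields no rules, and the high-priority "lockdown" policy emits a deny first whenever posture checks fail.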

Claim 10

Original Legal Text

10. A networking device for providing network access for a client computing device to a private network by a network traffic manager, the networking device comprising: at least one processor; and at least one memory storing instructions configured to instruct the at least one processor to: receive context parameters related to a context of the client computing device; select from the context parameters one or more policies as selected policies, wherein each policy is associated with one or more network entitlement rules defining network access rules for a networking device or an application in the private network according to the policy; retrieve the one or more network entitlement rules associated with the selected policies; and provide the one or more network entitlement rules to the client computing device, wherein the one or more network entitlement rules are not alterable by the client computing device, and the client computing device to provide the one or more network entitlement rules to the network traffic manager, thereby providing the network access for the client computing device.

Plain English Translation

A networking device facilitates client access to a private network through a network traffic manager. It comprises a processor and memory storing instructions to receive context parameters from the client, reflecting its current state. Based on these parameters, it selects policies, each containing network entitlement rules that define access to devices/applications within the private network. It retrieves these rules and provides them to the client, ensuring they cannot be altered. The client then sends these rules to the network traffic manager, which grants access accordingly.

Claim 11

Original Legal Text

11. A system comprising: a first networking device for providing network access for a client computing device to a private network by a network traffic manager, the first networking device comprising: at least one first processor; and at least one memory storing first instructions configured to instruct the at least one first processor to: receive context parameters related to a context of the client computing device; select, from the context parameters, one or more policies as selected policies, wherein each policy is associated with one or more network entitlement rules defining network access rules for a networking device or an application in the private network according to the policy; retrieve the one or more network entitlement rules associated with the selected policies; provide the network traffic manager with the one or more network entitlement rules, thereby providing the network access for the client computing device; and provide the one or more network entitlement rules to the client computing device upon authentication of the client computing device with the first networking device, wherein the one or more network entitlement rules are not alterable by the client computing device; and a gateway for providing network access to the private network, the gateway comprising: at least one second processor; and at least one memory storing second instructions configured to instruct the at least one second processor to: establish a networking tunnel between the gateway and the client computing device; and receive the one or more network entitlement rules from the client computing device, the network traffic manager configured to allow the network access according to the one or more network entitlement rules.

Plain English Translation

A system manages client access to a private network. It includes a networking device with a processor and memory that receives context parameters from the client, selects policies based on these parameters (each policy containing network entitlement rules), retrieves the rules, and provides them to the network traffic manager, granting access. This networking device also provides these rules to the client after authentication, preventing client alteration. A gateway, with its own processor and memory, establishes a network tunnel to the client and receives the network entitlement rules, which the network traffic manager uses to allow access.

Claim 12

Original Legal Text

12. The system of claim 11 , wherein: the first instructions are further configured to instruct the at least one first processor to provide a client tunnel session list to the client computing device, wherein the client tunnel session list comprises tunnel authentication information; and the second instructions are further configured to instruct the at least one second processor to establish the tunnel upon authentication of the client computing device using the tunnel authentication information.

Plain English Translation

Building on the system of claim 11, the first networking device also sends the client a "client tunnel session list" containing tunnel authentication information. The gateway establishes the networking tunnel only after it has authenticated the client using that information, so the credential for the tunnel is issued by the same device that issued the entitlement rules.

Claim 13

Original Legal Text

13. The system of claim 11 , wherein the one or more network entitlement rules are readable by the client computing device.

Plain English Translation

In the system managing client access, the network entitlement rules, while unalterable by the client, are readable by the client device. This allows the client to understand the network access policies that are being applied to it, promoting transparency and aiding in troubleshooting network connectivity issues.
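Claims 10 through 13 pin down the property that matters most in this design: the client carries its own entitlement rules to the gateway, can read them (claim 13), but cannot alter them (claims 1, 10, 11), and must present the tunnel authentication information issued with them (claim 12). The block below is an added example, not the patent's code, of one way to get those properties: the networking device serialises the bound rules and the tunnel session list as plaintext JSON and attaches a MAC under a key it is assumed to share out of band with the gateway. The gateway name, validity window and key are hypothetical.

```python
# Added example (not the patent's own code): a tamper-evident entitlement
# bundle in the shape of claims 10-13. The networking device and the gateway
# are assumed to share a symmetric key out of band; gateway and host names are
# hypothetical.
import hashlib
import hmac
import json
import secrets
import time


def _canonical(body: dict) -> bytes:
    # Stable serialisation so issuer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_bundle(key: bytes, client_addr: str, rules: list, ttl: int = 300, now: int = None) -> dict:
    """Networking device side (claims 10/11): bind rules to the client and MAC them.

    The payload stays plaintext JSON so the client can read it (claim 13);
    the MAC is what makes it 'not alterable by the client' (claim 1).
    """
    now = int(time.time()) if now is None else now
    body = {
        "client": client_addr,
        "iat": now,
        "exp": now + ttl,
        "rules": rules,
        # Claim 12: client tunnel session list carrying tunnel authentication information.
        "tunnel_sessions": [{"gateway": "gw1.example.internal", "auth": secrets.token_hex(16)}],
    }
    payload = _canonical(body)
    return {"payload": payload.decode(), "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def client_read(bundle: dict) -> dict:
    """Claim 13: the client can inspect its own entitlements."""
    return json.loads(bundle["payload"])


def client_tamper(bundle: dict, rules: list) -> dict:
    """What a malicious client would try: rewrite the rules, keep the old MAC."""
    body = json.loads(bundle["payload"])
    body["rules"] = rules
    return {"payload": _canonical(body).decode(), "mac": bundle["mac"]}


def verify_bundle(key: bytes, bundle: dict, client_addr: str, now: int = None) -> dict:
    """Gateway/traffic-manager side: refuse anything not issued for this client, now."""
    now = int(time.time()) if now is None else now
    payload = bundle["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(bundle.get("mac", ""))):
        raise ValueError("bundle rejected: MAC mismatch (altered or not issued by the policy device)")
    body = json.loads(payload)
    if body["client"] != client_addr:
        raise ValueError("bundle rejected: issued for a different client")
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("bundle rejected: outside validity window")
    return body


def gateway_admit(key: bytes, bundle: dict, client_addr: str, presented_auth: str, now: int = None) -> list:
    """Claims 11/12: authenticate the tunnel with the issued credential, then apply the rules."""
    body = verify_bundle(key, bundle, client_addr, now)
    if not any(hmac.compare_digest(s["auth"], presented_auth) for s in body["tunnel_sessions"]):
        raise ValueError("tunnel rejected: authentication information does not match the session list")
    return body["rules"]
```

The verifier checks the MAC before parsing the JSON, binds the bundle to the client address the gateway observes on the tunnel, and enforces a validity window so a stale bundle cannot be replayed after a policy change. A shared-key MAC is the simplest construction that satisfies the claims; in a deployment where the gateway should not be able to mint bundles itself, a public-key signature over the same canonical payload would be the natural substitute.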


Patent Metadata

Filing Date

September 9, 2016

Publication Date

August 15, 2017


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Client network access provision by a network traffic manager” (US-9736120). https://patentable.app/patents/US-9736120

© 2026 Nomic Interactive Technology LLC.